Commits on May 6, 2008
  1. @gregkh

    Linux 2.6.25.2

    gregkh committed May 6, 2008
  2. @gregkh

    fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

    Al Viro committed with gregkh May 6, 2008
    commit 0b2bac2 upstream.
    
    fcntl_setlk()/close() race prevention has a subtle hole - we need to
    make sure that if we *do* have an fcntl/close race on SMP box, the
    access to descriptor table and inode->i_flock won't get reordered.
    
    As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
    STORE descriptor table entry, LOAD inode->i_flock with not a single
    lock in common on both sides.  We do have BKL around the first STORE,
    but check in locks_remove_posix() is outside of BKL and for a good
    reason - we don't want BKL on common path of close(2).
    
    Solution is to hold ->file_lock around fcheck() in there; that orders
    us wrt removal from descriptor table that preceded locks_remove_posix()
    on close path and we either come first (in which case eviction will be
    handled by the close side) or we'll see the effect of close and do
    eviction ourselves.  Note that even though it's read-only access,
    we do need ->file_lock here - rcu_read_lock() won't be enough to
    order the things.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
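
The ordering hole described in the fcntl_setlk() commit message above, as an added example that is not part of the commit or the kernel source: a small C model that enumerates every interleaving of the two STORE/LOAD pairs and reports whether the lock can be left behind with nobody evicting it. It assumes a store-buffer (TSO-like) memory model, that close() clears the descriptor under ->file_lock, and that unlock makes earlier stores visible; every identifier in it is hypothetical.

```c
#include <stdio.h>

/* Toy model (added illustration, not kernel code). Thread 0 is fcntl_setlk(),
 * thread 1 is close(). A store sits in a store buffer until its "flush" step. */
enum op { ST_FLOCK, LD_FD, ST_FD, LD_FLOCK, LOCK, UNLOCK, END };
struct state {
    int pc[2];        /* next op of each thread */
    int buffered[2];  /* thread's store issued but not yet in memory */
    int fd, flock;    /* memory: descriptor table entry, inode->i_flock */
    int owner;        /* holder of ->file_lock, -1 when free */
    int r[2];         /* value each thread loaded */
};

static const enum op setlk_old[] = { ST_FLOCK, LD_FD, END };
static const enum op close_old[] = { ST_FD, LD_FLOCK, END };
/* Fixed variant: fcheck() under ->file_lock; close() clears fd under it too. */
static const enum op setlk_new[] = { ST_FLOCK, LOCK, LD_FD, UNLOCK, END };
static const enum op close_new[] = { LOCK, ST_FD, UNLOCK, LD_FLOCK, END };
static const enum op *prog[2];
static unsigned outcomes;   /* bit (r[0]*2 + r[1]) per reachable final state */

static void explore(struct state s)
{
    int t, progressed = 0;
    for (t = 0; t < 2; t++) {
        struct state n = s;
        if (s.buffered[t]) {            /* buffered store becomes visible */
            n.buffered[t] = 0;
            if (t == 0) n.flock = 1; else n.fd = 0;
            explore(n);
            progressed = 1;
            n = s;
        }
        switch (prog[t][s.pc[t]]) {
        case END:      continue;
        case ST_FLOCK:
        case ST_FD:    n.buffered[t] = 1; break;
        case LD_FD:    n.r[t] = s.fd; break;
        case LD_FLOCK: n.r[t] = s.flock; break;
        case LOCK:     if (s.owner != -1) continue;  /* lock is taken: wait */
                       n.owner = t; break;
        case UNLOCK:   if (s.buffered[t]) continue;  /* release waits for stores */
                       n.owner = -1; break;
        }
        n.pc[t]++;
        explore(n);
        progressed = 1;
    }
    if (!progressed)                    /* both threads done, buffers drained */
        outcomes |= 1u << (s.r[0] * 2 + s.r[1]);
}

unsigned reachable_outcomes(int use_file_lock)
{
    struct state s = { {0, 0}, {0, 0}, 1, 0, -1, {0, 0} };
    prog[0] = use_file_lock ? setlk_new : setlk_old;
    prog[1] = use_file_lock ? close_new : close_old;
    outcomes = 0;
    explore(s);
    return outcomes;
}

/* Leak: setlk still saw the fd (r[0]==1) and close saw no lock (r[1]==0). */
int leak_reachable(int use_file_lock)
{
    return (reachable_outcomes(use_file_lock) >> 2) & 1;
}

int main(void)
{
    printf("leak reachable: without ->file_lock %d, with ->file_lock %d\n",
           leak_reachable(0), leak_reachable(1));
    return 0;
}
```
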
Commits on May 1, 2008
  1. @gregkh

    Linux 2.6.25.1

    gregkh committed May 1, 2008
  2. @gregkh

    Fix dnotify/close race (CVE-2008-1375)

    Al Viro committed with gregkh May 1, 2008
    commit 214b704 upstream.
    
    We have a race between fcntl() and close() that can lead to
    dnotify_struct inserted into inode's list *after* the last descriptor
    had been gone from current->files.
    
    Since that's the only point where dnotify_struct gets evicted, we are
    screwed - it will stick around indefinitely.  Even after struct file in
    question is gone and freed.  Worse, we can trigger send_sigio() on it at
    any later point, which allows to send an arbitrary signal to arbitrary
    process if we manage to apply enough memory pressure to get the page
    that used to host that struct file and fill it with the right pattern...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @torvalds @gregkh

    drivers/net/tehuti: use proper capability check for raw IO access

    torvalds committed with gregkh Apr 29, 2008
    commit 6203554 in mainline.
    
    Yeah, in practice they both mean "root", but Alan correctly points out
    that anybody who gets to do raw IO space accesses should really be using
    CAP_SYS_RAWIO rather than CAP_NET_ADMIN.
    
    Pointed-out-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  4. @gregkh

    hrtimer: raise softirq unlocked to avoid circular lock dependency

    Thomas Gleixner committed with gregkh Apr 29, 2008
    commit 0c96c59 upstream
    
    The scheduler hrtimer bits in 2.6.25 introduced a circular lock
    dependency in a rare code path:
    
    =======================================================
    [ INFO: possible circular locking dependency detected ]
    2.6.25-sched-devel.git-x86-latest.git #19
    -------------------------------------------------------
    X/2980 is trying to acquire lock:
     (&rq->rq_lock_key#2){++..}, at: [<ffffffff80230146>] task_rq_lock+0x56/0xa0
    
    but task is already holding lock:
     (&cpu_base->lock){++..}, at: [<ffffffff80257ae1>] lock_hrtimer_base+0x31/0x60
    
    which lock already depends on the new lock.
    
    The scenario which leads to this is:
    
    posix-timer signal is delivered
     -> posix-timer is rearmed
        timer is already expired in hrtimer_enqueue()
         -> softirq is raised
    
    To prevent this we need to move the raise of the softirq out of the
    base->lock protected code path.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @gregkh

    x86: Fix 32-bit x86 MSI-X allocation leakage

    PJ Waskiewicz committed with gregkh Apr 28, 2008
    commit 9d9ad4b upstream
    
    This bug was introduced in the 2.6.24 lguest merge, where
    MSI-X vector allocation will eventually fail.  The cause is the new
    bit array tracking used vectors is not getting cleared properly on
    IRQ destruction on the 32-bit APIC code.
    
    This can be seen easily using the ixgbe 10 GbE driver on multi-core
    systems by simply loading and unloading the driver a few times.
    Depending on the number of available vectors on the host system, the
    MSI-X allocation will eventually fail, and the driver will only be
    able to use legacy interrupts.
    
    Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    alpha: unbreak OSF/1 (a.out) binaries

    Ivan Kokshaysky committed with gregkh Apr 24, 2008
    commit 2444e56 upstream
    
    
    OSF/1 brk(2) was broken by following one-liner in sys_brk()
    (commit 4cc6028):
    
    -	if (brk < mm->end_code)
    +	if (brk < mm->start_brk)
    		goto out;
    
    The problem is that osf_set_program_attributes()
    does update mm->end_code, but not mm->start_brk,
    which still contains inappropriate value left from
    binary loader, so brk() always fails.
    
    Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @avasquez01 @gregkh

    SCSI: qla2xxx: Correct regression in relogin code.

    avasquez01 committed with gregkh Apr 27, 2008
    commit: 666301e upstream
    
    
    Commit 63a8651 ([SCSI] qla2xxx:
    Correct infinite-login-retry issue.) introduced a small
    regression where a successful relogin would result in an fcport's
    loop_id to be incorrectly reset to FC_NO_LOOP_ID.  Only clear-out
    loopid, if retries have been 'truly' exhausted.
    
    Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @gregkh

    RDMA/nes: Fix adapter reset after PXE boot

    Chien Tung committed with gregkh Apr 27, 2008
    commit: bc5698f upstream
    
    After PXE boot, the iw_nes driver does a full reset to ensure the card
    is in a clean state.  However, it doesn't wait for firmware to
    complete its work before issuing a port reset to enable the ports,
    which leads to problems bringing up the ports.
    
    The solution is to wait for firmware to complete its work before
    proceeding with port reset.
    
    This bug was flagged by Roland Dreier <rolandd@cisco.com>.
    
    Signed-off-by: Chien Tung <ctung@neteffect.com>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @gregkh

    hrtimer: timeout too long when using HRTIMER_CB_SOFTIRQ

    Bodo Stroesser committed with gregkh Apr 28, 2008
    commit d7b41a2 upstream
    
    When using hrtimer with timer->cb_mode == HRTIMER_CB_SOFTIRQ
    in some cases the clockevent is not programmed.
    This happens, if:
     - a timer is rearmed while its state is HRTIMER_STATE_CALLBACK
     - hrtimer_reprogram() returns -ETIME, when it is called after
       CALLBACK is finished. This occurs if the new timer->expires
       is in the past when CALLBACK is done.
    In this case, the timer needs to be removed from the tree and put
    onto the pending list again.
    
    The patch is against 2.6.22.5, but AFAICS, it is relevant
    for 2.6.25 also (in run_hrtimer_pending()).
    
    Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  10. @gregkh

    mm: fix possible off-by-one in walk_pte_range()

    Johannes Weiner committed with gregkh Apr 28, 2008
    commit 556637c upstream
    
    
    After the loop in walk_pte_range() pte might point to the first address after
    the pmd it walks.  The pte_unmap() is then applied to something bad.
    
    Spotted by Roel Kluin and Andreas Schwab.
    
    Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
    Cc: Roel Kluin <12o3l@tiscali.nl>
    Cc: Andreas Schwab <schwab@suse.de>
    Acked-by: Matt Mackall <mpm@selenic.com>
    Acked-by: Mikael Pettersson <mikpe@it.uu.se>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  11. @gregkh

    dz: test after postfix decrement fails in dz_console_putchar()

    Roel Kluin committed with gregkh Apr 28, 2008
    commit 1ecf0d0 upstream
    
    When loops reaches 0 the postfix decrement still subtracts, so the subsequent
    test fails.
    
    Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
    Acked-by: Maciej W. Rozycki <macro@linux-mips.org>
    Cc: Johannes Weiner <hannes@saeurebad.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  12. @gregkh

    rtc-pcf8583 build fix

    David Brownell committed with gregkh Apr 28, 2008
    commit 77459b0 upstream
    
    
    Fix bogus #include in rtc-pcf8583, so it compiles on platforms that
    don't support PC clone RTCs.  (Original issue noted by Adrian Bunk.)
    
    Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
    Cc: Adrian Bunk <bunk@kernel.org>
    Acked-by: Alessandro Zummo <a.zummo@towertech.it>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  13. @JeffMoyer @gregkh

    aio: io_getevents() should return if io_destroy() is invoked

    JeffMoyer committed with gregkh Apr 28, 2008
    commit e92adcb upstream
    
    This patch wakes up a thread waiting in io_getevents if another thread
    destroys the context.  This was tested using a small program that spawns a
    thread to wait in io_getevents while the parent thread destroys the io context
    and then waits for the getevents thread to exit.  Without this patch, the
    program hangs indefinitely.  With the patch, the program exits as expected.
    
    Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: Zach Brown <zach.brown@oracle.com>
    Cc: Christopher Smith <x@xman.org>
    Cc: Benjamin LaHaise <bcrl@kvack.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  14. @gregkh

    tehuti: move ioctl perm check closer to function start (CVE-2008-1675)

    Jeff Garzik committed with gregkh Apr 25, 2008
    Commit f946dff upstream
    
    Noticed by davem.
    
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  15. @gregkh

    tehuti: check register size (CVE-2008-1675)

    Francois Romieu committed with gregkh Apr 20, 2008
    commit 6131a26 upstream
    
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  16. @gregkh

    b43: Workaround DMA quirks

    Michael Buesch committed with gregkh Apr 24, 2008
    commit 1033b3e upstream
    
    Some mainboards/CPUs don't allow DMA masks bigger than a certain limit.
    Some VIA crap^h^h^h^hdevices have an upper limit of 0xFFFFFFFF. So in this
    case a 64-bit b43 device would always fail to acquire the mask.
    Implement a workaround to fallback to lower DMA mask, as we can always
    also support a lower mask.
    
    Signed-off-by: Michael Buesch <mb@bu3sch.de>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
  17. @gregkh

    b43: Add more btcoexist workarounds

    Michael Buesch committed with gregkh Apr 24, 2008
    commit 9fc3845 upstream
    
    This adds more workarounds for devices with broken BT bits.
    
    Signed-off-by: Michael Buesch <mb@bu3sch.de>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @gregkh

    b43: Workaround invalid bluetooth settings

    Michael Buesch committed with gregkh Apr 24, 2008
    commit 1855ba7 upstream.
    
    This adds a workaround for invalid bluetooth SPROM settings
    on ASUS PCI cards.
    This will stop the microcode from poking with the BT GPIO line.
    This fixes data transmission on this device, as the BT GPIO line
    is used for something TX related on this device
    (probably the power amplifier or the radio).
    This also adds a modparam knob to help debugging this in the future,
    as more devices with this bug may show up.
    
    Signed-off-by: Michael Buesch <mb@bu3sch.de>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  19. @lwfinger @gregkh

    ssb: Fix all-ones boardflags

    lwfinger committed with gregkh Apr 24, 2008
    commit 4503183 upstream
    
    In the SSB SPROM a field set to all ones means the value
    is not defined in the SPROM.
    In case of the boardflags, we need to set them to zero
    to avoid confusing drivers. Drivers will only check the
    flags by ANDing.
    
    
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Gabor Stefanik <netrolller.3d@gmail.com>
    Signed-off-by: Michael Buesch <mb@bu3sch.de>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  20. @dotdash @gregkh

    x86, pci: fix off-by-one errors in some pirq warnings

    dotdash committed with gregkh Mar 31, 2008
    commit 223ac2f upstream.
    
    fix bogus pirq warnings reported in:
    
      http://bugzilla.kernel.org/show_bug.cgi?id=10366
    
    safe to be backported to v2.6.25 and earlier.
    
    Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @eparis @gregkh

    SELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts

    eparis committed with gregkh Apr 21, 2008
    commit 0f5e642 upstream
    
    The Fedora installer actually makes multiple NFS mounts before it loads
    selinux policy.  The code in selinux_clone_mnt_opts() assumed that the
    init process would always be loading policy before NFS was up and
    running.  It might be possible to hit this in a diskless environment as
    well, I'm not sure.  There is no need to BUG_ON() in this situation
    since we can safely continue given the circumstances.
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. @gregkh

    S2io: Version update for memory leak fix during free_tx_buffers

    Sreenivasa Honnur committed with gregkh Apr 25, 2008
    commit 10371b5 upstream
    
    - Updated version number.
    
    Signed-off-by: Santosh Rastapur <santosh.rastapur@neterion.com>
    Signed-off-by: Ramkrishna Vepa <ram.vepa@neterion.com>
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23. @gregkh

    S2io: Fix memory leak during free_tx_buffers

    Sreenivasa Honnur committed with gregkh Apr 25, 2008
    commit b35b3b4 upstream
    
    - Fix the memory leak during free_tx_buffers.
    
    Signed-off-by: Santosh Rastapur <santosh.rastapur@neterion.com>
    Signed-off-by: Ramkrishna Vepa <ram.vepa@neterion.com>
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24. @gregkh

    V4L: cx88: enable radio GPIO correctly

    Steven Toth committed with gregkh Apr 24, 2008
    (cherry picked from commit 6b92b3b)
    
    This patch fixes an issue on the HVR1300, where GPIO is blown away due to
    the radio input being undefined, breaking the functionality of the DVB
    demodulator and MPEG2 encoder used on the cx8802 mpeg TS port.
    
    This is a minimal patch for 2.6.26 and the -stable series.  This must be
    fixed a better way for 2.6.27.
    
    Signed-off-by: Steven Toth <stoth@hauppauge.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  25. @mchehab @gregkh

    V4L: tea5761: bugzilla #10462: tea5761 autodetection code were broken

    mchehab committed with gregkh Apr 24, 2008
    (cherry picked from commit 867e835)
    
    Fix bugzilla #10462: "tea5761 autodetection code were broken"
    
    Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  26. @Alan-Cox @gregkh

    V4L: Fix VIDIOCGAP corruption in ivtv

    Alan-Cox committed with gregkh Apr 24, 2008
    (cherry picked from commit d2b213f)
    
    Frank Bennett reported that ivtv was causing skype to crash. With help
    from one of their developers he showed it was a kernel problem.
    VIDIOCGCAP copies a name into a fixed length buffer - ivtv uses names
    that are too long and does not truncate them so corrupts a few bytes of
    the app data area.
    
    Possibly the names also want trimming but for now this should fix the
    corruption case.
    
    Signed-off-by: Alan Cox <alan@redhat.com>
    Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  27. @gregkh

    RDMA/nes: Free IRQ before killing tasklet

    Roland Dreier committed with gregkh Apr 18, 2008
    commit: 4cd1e5e
    
    Move the free_irq() call in nes_remove() to before the tasklet_kill();
    otherwise there is a window after tasklet_kill() where a new interrupt
    can be handled and reschedule the tasklet, leading to a use-after-free
    crash.
    
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  28. @gregkh

    cgroup: fix a race condition in manipulating tsk->cg_list

    Li Zefan committed with gregkh Apr 18, 2008
    commit: 0e04388
    
    When I ran a test program to fork mass processes and at the same time
    'cat /cgroup/tasks', I got the following oops:
    
      ------------[ cut here ]------------
      kernel BUG at lib/list_debug.c:72!
      invalid opcode: 0000 [#1] SMP
      Pid: 4178, comm: a.out Not tainted (2.6.25-rc9 #72)
      ...
      Call Trace:
       [<c044a5f9>] ? cgroup_exit+0x55/0x94
       [<c0427acf>] ? do_exit+0x217/0x5ba
       [<c0427ed7>] ? do_group_exit+0.65/0x7c
       [<c0427efd>] ? sys_exit_group+0xf/0x11
       [<c0404842>] ? syscall_call+0x7/0xb
       [<c05e0000>] ? init_cyrix+0x2fa/0x479
      ...
      EIP: [<c04df671>] list_del+0x35/0x53 SS:ESP 0068:ebc7df4
      ---[ end trace caffb7332252612b ]---
      Fixing recursive fault but reboot is needed!
    
    After digging into the code and debugging, I finally found out a race
    situation:
    
    				do_exit()
    				  ->cgroup_exit()
    				    ->if (!list_empty(&tsk->cg_list))
    				        list_del(&tsk->cg_list);
    
      cgroup_iter_start()
        ->cgroup_enable_task_cg_list()
          ->list_add(&tsk->cg_list, ..);
    
    In this case the list won't be deleted though the process has exited.
    
    We got two bug reports in the past, which seem to be the same bug as
    this one:
    	http://lkml.org/lkml/2008/3/5/332
    	http://lkml.org/lkml/2007/10/17/224
    
    Actually sometimes I got oops on list_del, sometimes oops on list_add.
    And I can change my test program a bit to trigger other oops.
    
    The patch has been tested both on x86_32 and x86_64.
    
    Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
    Acked-by: Paul Menage <menage@google.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  29. @gregkh

    dm snapshot: fix chunksize sector conversion

    Mikulas Patocka committed with gregkh Apr 25, 2008
    commit: 9243626
    
    If a snapshot has a smaller chunksize than the page size the
    conversion to pages currently returns 0 instead of 1, causing:
    kernel BUG in mempool_resize.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: Milan Broz <mbroz@redhat.com>
    Signed-off-by: Alasdair G Kergon <agk@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  30. @gregkh

    USB: OHCI: fix bug in controller resume

    Alan Stern committed with gregkh Apr 25, 2008
    commit: 0d22f65
    
    This patch (as1063) fixes a bug in the way ohci-hcd resumes its
    controllers.  It leaves the Master Interrupt Enable bit turned off.
    
    If the root hub is resumed immediately this won't matter.  But if the
    root hub is suspended (say because no devices are plugged in), it won't
    ever wake up by itself.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    CC: David Brownell <david-b@pacbell.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  31. @herbertx @gregkh

    IPSEC: Fix catch-22 with algorithm IDs above 31

    herbertx committed with gregkh Apr 25, 2008
    [ Upstream commit: c5d18e9 ]
    
    As it stands it's impossible to use any authentication algorithms
    with an ID above 31 portably.  It just happens to work on x86 but
    fails miserably on ppc64.
    
    The reason is that we're using a bit mask to check the algorithm
    ID but the mask is only 32 bits wide.
    
    After looking at how this is used in the field, I have concluded
    that in the long term we should phase out state matching by IDs
    because this is made superfluous by the reqid feature.  For current
    applications, the best solution IMHO is to allow all algorithms when
    the bit masks are all ~0.
    
    The following patch does exactly that.
    
    This bug was identified by IBM when testing on the ppc64 platform
    using the NULL authentication algorithm which has an ID of 251.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  32. @xemul @gregkh

    net: Fix wrong interpretation of some copy_to_user() results.

    xemul committed with gregkh Apr 25, 2008
    [ Upstream commit: 653252c ]
    
    I found some places, that erroneously return the value obtained from
    the copy_to_user() call: if some amount of bytes were not able to get
    to the user (this is what this one returns) the proper behavior is to
    return the -EFAULT error, not that number itself.
    
    Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  33. @gregkh

    rose: Socket lock was not released before returning to user space

    Bernard Pidoux committed with gregkh Apr 25, 2008
    [ Upstream commit: 43837b1 ]
    
    ================================================
    [ BUG: lock held when returning to user space! ]
    ------------------------------------------------
    xfbbd/3683 is leaving the kernel with locks still held!
    1 lock held by xfbbd/3683:
      #0:  (sk_lock-AF_ROSE){--..}, at: [<c8cd1eb3>] rose_connect+0x73/0x420 [rose]
    
    INFO: task xfbbd:3683 blocked for more than 120 seconds.
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    xfbbd         D 00000246     0  3683   3669
            c6965ee0 00000092 c02c5c40 00000246 c0f6b5f0 c0f6b5c0 c0f6b5f0 c0f6b5c0
            c0f6b614 c6965f18 c024b74b ffffffff c06ba070 00000000 00000000 00000001
            c6ab07c0 c012d450 c0f6b634 c0f6b634 c7b5bf10 c0d6004c c7b5bf10 c6965f40
    Call Trace:
      [<c024b74b>] lock_sock_nested+0x6b/0xd0
      [<c012d450>] ? autoremove_wake_function+0x0/0x40
      [<c02488f1>] sock_fasync+0x41/0x150
      [<c0249e69>] sock_close+0x19/0x40
      [<c0175d54>] __fput+0xb4/0x170
      [<c0176018>] fput+0x18/0x20
      [<c017300e>] filp_close+0x3e/0x70
      [<c01744e9>] sys_close+0x69/0xb0
      [<c0103bda>] sysenter_past_esp+0x5f/0xa5
      =======================
    INFO: lockdep is turned off.
    
    Signed-off-by: Bernard Pidoux <f6bvp@amsat.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>